#!/bin/sh

## Please make changes in /etc/firewall.user

. /etc/functions.sh
WAN=$(nvram get wan_ifname)
LAN=$(nvram get lan_ifname)
WL=$(nvram get wl0_ifname)

. /etc/default/charon

## CLEAR TABLES
for T in filter nat mangle; do
  iptables -t $T -F
  iptables -t $T -X
done

iptables -N input_rule
iptables -N output_rule
iptables -N forwarding_rule

iptables -t nat -N prerouting_rule
iptables -t nat -N postrouting_rule

iptables -N charon-input
iptables -N charon-forward
iptables -N charon-filter
iptables -t mangle -N charon-prerouting
iptables -t mangle -N charon-forward
iptables -t mangle -N charon-inbound
iptables -t mangle -N charon-outbound
iptables -t mangle -N charon-quota
iptables -t nat -N charon-prerouting

### INPUT
###  (connections with the router as destination)

  # base case
  iptables -P INPUT DROP
  iptables -A INPUT -m state --state INVALID -j DROP
  iptables -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
  iptables -A INPUT -p tcp --tcp-flags SYN SYN --tcp-option \! 2 -j  DROP

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A INPUT -i $WL -j charon-input
  iptables -A INPUT -j input_rule

  # allow
  iptables -A INPUT ${WAN:+\! -i $WAN} -j ACCEPT	# allow from lan/wifi interfaces 
  iptables -A INPUT -p icmp	-j ACCEPT	# allow ICMP
  iptables -A INPUT -p gre	-j ACCEPT	# allow GRE

  # reject (what to do with anything not allowed earlier)
  iptables -A INPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A INPUT -j REJECT --reject-with icmp-port-unreachable

### OUTPUT
### (connections with the router as source)

  # base case
  iptables -P OUTPUT DROP
  iptables -A OUTPUT -m state --state INVALID -j DROP
  iptables -A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A OUTPUT -j output_rule

  # allow
  iptables -A OUTPUT -j ACCEPT		#allow everything out

  # reject (what to do with anything not allowed earlier)
  iptables -A OUTPUT -p tcp -j REJECT --reject-with tcp-reset
  iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable

### FORWARDING
### (connections routed through the router)

  # base case
  iptables -P FORWARD DROP 
  iptables -A FORWARD -m state --state INVALID -j DROP
  iptables -A FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
  iptables -A FORWARD -j charon-forward
  iptables -A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT

  #
  # insert accept rule or to jump to new accept-check table here
  #
  iptables -A FORWARD -j forwarding_rule

  # allow
  iptables -A FORWARD -i br0 -o br0 -j ACCEPT
  iptables -A FORWARD -i $LAN -o $WAN -j ACCEPT

  # reject (what to do with anything not allowed earlier)
  # uses the default -P DROP

### MASQ
  iptables -t nat -A PREROUTING -j charon-prerouting
  iptables -t nat -A PREROUTING -j prerouting_rule
  iptables -t nat -A POSTROUTING -j postrouting_rule
  iptables -t nat -A POSTROUTING -o $WAN -j MASQUERADE

### Funkiness
  iptables -t mangle -A PREROUTING -j charon-prerouting

### Charon
  insmod ipt_quota

  iptables -t mangle -A charon-prerouting -i $WL -m mark --mark 0/0x3000 -j MARK --set-mark 0x2000
  iptables -t mangle -A charon-prerouting -i $WL -j charon-outbound
  iptables -t mangle -A charon-prerouting -m mark --mark 0x2000/0x3000 -j charon-quota

iptables -A charon-forward -m mark --mark 0x2000/0x3000 -o $WL -j charon-filter
iptables -A charon-forward -m mark --mark 0x2000/0x3000 -i $WL -j charon-filter

iptables -t mangle -A charon-forward -o $WL -m mark --mark 0/0x3000 -j MARK --set-mark 0x2000
iptables -t mangle -A charon-forward -o $WL -j charon-inbound
iptables -t mangle -A charon-forward -m mark --mark 0x2000/0x3000 -j charon-quota
    
iptables -t mangle -A FORWARD -j charon-forward

# permit charon's managed traffic
  iptables -A FORWARD -i $WL -o $WAN -j ACCEPT
# for testing - probably? will allow foreign users access to LAN unless elsewhere blocked...
  iptables -A FORWARD -i $WL -o $LAN -j ACCEPT

## USER RULES
[ -f /etc/firewall.user ] && . /etc/firewall.user
[ -e /etc/config/firewall ] && {
	awk -f /usr/lib/common.awk -f /usr/lib/firewall.awk /etc/config/firewall | ash
}
